9.Ch_13_Digital Signature and Authentication Protocols

Digital Signature and Authentication

Protocols

Asst. Prof. Shreyas Patel 2

Introduction

A digital signature is an authentication mechanism that enablesthe creator of a message to attach a code that acts as asignature. The signature is formed by taking the hash of themessage and encrypting the message with the creators privatekey. The signature guarantees the source and integrity of themessage.

Mutual authentication protocols enable communicating partiesto satisfy themselves mutually about each others identity andto exchange session keys.

In one-way authentication, the receipt wants some assurancethat message is form the alleged sender.

4/9/2014


Digital Signature

Message authentication protects two parties who exchange

messages from any third party.

However, it does not protect the two parties against each other.

Several forms of dispute between the two are possible.

For example, suppose that john sends an authenticated

message to mary, using one of the scheme of fig. 11.4.

consider the following dispute that could arise:

1. mary may create a different message and claim that it came

from jonh. Mary would simply have to create a message and

append an authentication code using the key that john and

mary share.

4/9/2014


Digital Signature (Conti)

2. john can deny sending the message. Because it is possible

for mary to create a message, there is no way to prove that

john did in fact send the message.

Here is example of first scenario: an electronic funds transfer

takes place, and the receiver increases the amount of funds

transferred and claims that the larger amount had arrived from

the sender.

An example of the second scenario is that an electronic mail

message contains instructions to a stockbroker for a

transaction subsequently turns out badly. The sender pretends

that the message was never sent.

4/9/2014


Digital Signature (Conti)

In situations where there is not complete trust between sender

and receiver, something more than authentication is needed.

The most attractive solution to this problem is the digital

signature.

It must have the following properties:

It must verify the author and the data and time of the signature.

It must to authenticate the contents at the time of the signature.

It must be verifiable by third parties, to resolve disputes.

4/9/2014

Generic Model of Digital Signature Process

4/9/2014 Asst. Prof. Shreyas Patel 6

Simplified Depiction of Essential Elements of Digital

Signature Process

4/9/2014 Asst. Prof. Shreyas Patel 7


Direct Digital Signature

The direct digital signature involves only the communicating

parties (source, destination).

It is assumed that the destination knows the public key of the

source.

A digital signature may be formed by encrypting the entire

message with the senders private key or encrypting a hash

code of the message with the senders private key.

All direct schemes describe so far share a common weakness.

The validity of the scheme depends on the security of the

senders private key.

If sender later wishes to deny sending a particular message, the

sender can claim that the private key was lost or stolen and

that someone else created his or her signature.

4/9/2014


Arbitrated Digital Signature

The problems associated with direct digital signatures can be

addressed by using an arbiter.

In arbitrated signature, every singed message from a sender X

to a receiver Y goes first to an arbiter A, who subjects the

message and its signature to a number of tests to check its

origin content.

The message is then dated and sent to Y with an indication

that it has been verified to the satisfaction of the arbiter.

The presence of A solves the problem faced by direct

signature schemes: that X might disown the message.

The arbiter plays a sensitive and crucial role in this sort of

scheme, and all parties must have a great deal of trust that the

arbitration mechanism is working properly.

4/9/2014


Arbitrated Digital Signature (Conti)

4/9/2014



It is assumed that the sender X and the arbiter A share a secret

key Kxa and that A and Y share secret key Kay.

X constructs a message M and computes its hash value H(M).

Then X transmits the message plus a signature to A.

The signature consists of an identifier IDx of X plus the hash

value, all encrypted using Kxa.

A decrypts the signature and checks the hash value to validate

the message.

Then A transmits a message to Y, encrypted with Kay.

The message includes IDx, the original message from X, the

signature, and a timestamp.

Y can decrypt this to recover the message and the signature.

4/9/2014



The timestamp informs Y that this message is timely and not a

replay.

Y can store M and the signature.

4/9/2014


Digital Signature Standard

The National Institute of Standards and Technology (NIST) has

publish federal information processing standards FIPS 186,

known as the Digital Signature Standard (DSS).

The DSS makes use of the secure hash algorithm (SHA) and

present a new digital signature technique the digital signature

algorithm (DSA).

The DSS originally proposed in 1991 and revised in 1993 in

response to public feedback concerning the security of the

scheme.

4/9/2014


Digital Signature Standard (Conti)

The DSS Approach:

The DSS uses an algorithm that is designed to provide only

digital function.

Unlike RSA it cannot be used for encryption or key exchange.

Nevertheless it is a public-key technique.

Figure 13.1 contrasts the DSS approach for generating

signature to that RSA.

4/9/2014



4/9/2014



In RSA based approach only sender knows the private key,

only the sender could have produced a valid signature.

The DSS approach also makes use of a hash function.

The hash code is provided as input to a signature function

along with a random number k generated for this particular

signature.

The signature function also depends on the private key (PRa)

and global public key (PUg).

The result is a signature consisting of two components labeled

s and r.

4/9/2014



At the receiving end, the hash code of the incoming message is

generated.

This plus the signature is input to a verification function.

The output of the verification function is a value that is equal to

the signature component r if the signature is valid.

The signature function is such that only the sender with the

knowledge of the private key could have produced the valid

signature.

4/9/2014


Kerberos

Kerberos is an authentication service developed as part ofProject Athena at MIT.

Rather than building in elaborate authentication protocol ateach server, Kerberos provides a centralized authenticationserver whose function is to authenticate users to servers andservers to users.

Unlike most other authentication schemes, Kerberos reliesexclusively on symmetric encryption, making no use of public-key encryption.

Two versions of Kerberos are in common use: v4 & v5.

4/9/2014


Kerberos

Kerberos support following approch for security.

It requires the user to prove his or her identity for each service invoked.Also require that servers prove their identity to clients.

Kerberos assumes a distributed client/server architecture and

employs one or more kerberos server to provide an

authentication service.

Kerberos identified requirements as:

secure

reliable

transparent

scalable

4/9/2014


Kerberos v4 Overview

The core of Kerberos is the Authentication and Ticket Granting Servers these are trusted by all users and servers and must be securely administered.

The protocol includes a sequence of interactions between the client, AS,TGT and desired server.

a basic third-party authentication scheme

have an Authentication Server (AS)

users initially negotiate with AS to identify self

AS provides a non-corruptible authentication credential (ticket grantingticket TGT)

have a Ticket Granting server (TGS)

users subsequently request access to other services from TGS on basis ofusers TGT

4/9/2014


Kerberos v4 Dialogue

4/9/2014

1. obtain ticket granting ticket from AS

once per session

2. obtain service granting ticket from TGT

for each distinct service required

3. client/server exchange to obtain service

on every service request


Kerberos v4 Overview

4/9/2014


Kerberos v4 Realms

4/9/2014

A full-service Kerberos environment consisting of a

Kerberos server, a number of clients, and a number of

application servers is referred to as a Kerberos realm.

A Kerberos realm is a set of managed nodes that

share the same Kerberos database, and are part of the

same administrative domain.

If have multiple realms, their Kerberos servers must

share keys and trust each other.


Kerberos v4 Realms

4/9/2014


Kerberos v4 Realms

4/9/2014

Figure shows the authentication messages whereservice is being requested from another domain.

The ticket presented to the remote server indicates therealms in which the user was originally authenticated.

The server chooses whether to honor the remoterequest.

One problem presented by the foregoing approach isthat it does not scale well to many realms, as eachpair of realms need to share a key.


X.509 CERTIFICATES

4/9/2014

X.509 is part of the X.500 series of recommendations that

define a directory service.

The directory is, in effect, a server or distributed set of servers

that maintains a database of information about users.

The information includes a mapping from user name to

network address, as well as other attributes and information

about the users.

X.509 defines a framework for the provision of authentication

services by the X.500 directory to its users.


X.509 CERTIFICATES

4/9/2014

X.509 is based on the use of public-key cryptography and

digital signatures.

The heart of the X.509 scheme is the public-key certificate

associated with each user.

These user certificates are assumed to be created by some

trusted certification authority (CA) and placed in the directory

by the CA or by the user.

The directory server itself is not responsible for the creation of

public keys or for the certification function; it merely provides

an easily accessible location for users to obtain certificates.


Generation of public key certificates

4/9/2014


X.509 Certificates

4/9/2014


X.509 CERTIFICATES

4/9/2014

Version: Differentiates among successive versions of the certificate

format; the default is version 1. 2 and 3 are also possible.

Serial number: An integer value unique within the issuing CA that

is unambiguously associated with this certificate.

Signature algorithm identifier: The algorithm used to sign the

certificate together with any associated parameters. Because this

information is repeated in the signature field at the end of the

certificate.

Issuer name: X.500 is the name of the CA that created and signed

this certificate.


X.509 CERTIFICATES

4/9/2014

Period of validity: Consists of two dates: the first and last on which

the certificate is valid.

Subject name: The name of the user to whom this certificate

refers.That is, this certificate certifies the public key of the subject

who holds the corresponding private key.

Subjects public-key information: The public key of the subject,

plus an identifier of the algorithm for which this key is to be used,

together with any associated parameters.

Issuer unique identifier: An optional-bit string field used to

identify uniquely the issuing CA in the event the X.500 name has

been reused for different entities.


X.509 CERTIFICATES

4/9/2014

Subject unique identifier: An optional-bit string field used to

identify uniquely the subject in the event the X.500 name has been

reused for different entities.

Extensions: A set of one or more extension fields. Extensions were

added in version 3.

Signature: Covers all of the other fields of the certificate; it

contains the hash code of the other fields encrypted with the CAs

private key.This field includes the signature algorithm identifier.


X.509 CERTIFICATES

4/9/2014


X.509 CERTIFICATES

4/9/2014

Because certificates are unforgeable, they can be placed in a

directory without the need for the directory to make special efforts

to protect them.

All user certificates can be placed in the directory for access by all

users.

In addition,a user can transmit his or her certificate directly to other

users.

In either case, once B is in possession of As certificate, B has

confidence that messages it encrypts with As public key will be

secure from eavesdropping and that messages signed with As

private key are unforgeable.

Documents

9.Ch_13_Digital Signature and Authentication Protocols